Operating Principle
Controls prevent incidents only when they are owned, verified, and enforced. Activity is not assurance. Deployment is not effectiveness. Evidence is the standard.
Quick Wins
- Patch SLA with verified closure. CVSS 9.0+ on internet-facing systems patched within 72 hours, closed only after independent confirmation.
- Control validation schedule. Quarterly test proving the scanner inspects encrypted traffic correctly; catches tool blindness fast.
- Application-level access scoping. ACIS access reduced to only what it needs; removes the 51-database blast radius.
- Encryption at rest for PII. Database encryption for SSNs/financial records materially reduces harm even if exfiltration occurs.
- Incident declaration triggers trading restrictions. Automatic trading blackout for executives on material incident declaration.
- Notification obligations register. Current, tested notification timelines across jurisdictions; prevents 40-day disclosure delay.
Governance: Control to Failure Mapping
| Failure | Control That Prevents or Limits Impact |
| --- | --- |
| Patching directive issued by email with no ownership, tracking, or verification. Patch never applied. | Critical security directives must enter a workflow with a named owner, severity-based SLA, automated escalation on breach, and verified closure. The directive stays open until evidence exists. |
| Board received activity briefings without risk indicators, limiting oversight of real exposure. | Board reporting must include standing KRIs: open critical vulnerabilities by age, patch SLA compliance, and control assurance failures. At least one director should have cybersecurity expertise. |
| No trading restrictions activated when a material incident was discovered; executives sold stock before disclosure. | Incident declaration policy must define "material incident" and auto-trigger executive trading blackout — no separate discretionary decision. |
| No defined disclosure decision framework; 40 days elapsed before public notification. | Pre-document disclosure authority, decision criteria, and jurisdiction timelines. Maintain an obligations register with named owners and test annually through simulations. |
Risk Management: Control to Failure Mapping
| Failure | Control That Prevents or Limits Impact |
| --- | --- |
| Risk response closed on action taken rather than outcome achieved; patch not verified. | Risk closure must require evidence of risk reduction. For patching: clean scan tied to confirmed installation per affected asset. No evidence, no closure. |
| Vulnerability scanning tool blind for 19 months due to expired SSL certificate. | Independent control assurance program that validates output, not presence. Periodically test scanner against known-vulnerable systems; escalate control failures as priority risk. |
| ACIS portal had unrestricted access to 51 internal databases beyond functional need. | Formal application access scoping against documented functional requirement; least privilege enforced. Any excess requires explicit senior risk acceptance or is revoked. |
| No operational monitoring of third-party component disclosures; Struts CVE was public for 78 days. | Maintain an SBOM-style inventory and match live CVE feeds to components in use. Trigger remediation automatically with critical SLA and escalation. |
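As an added example (not part of the original page), a minimal Python model of the two mechanisms the table above calls for: matching an SBOM-style inventory against a CVE feed, and a patch directive that carries a named owner and a severity-based SLA and cannot close without evidence. The inventory, feed entries, CVE ids, host names and open time are constructed placeholders; the 72-hour tier is the page's SLA, the other tiers are assumed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed inventory: (component, version) -> assets running it. Not a real SBOM.
SBOM = {
    ("struts-core", "2.3.31"): ["web-01", "web-02"],
    ("openssl", "1.1.1w"): ["web-01", "db-03"],
}
CVE_FEED = [  # constructed entries with placeholder ids; versions are matched exactly
    {"id": "CVE-PLACEHOLDER-1", "component": "struts-core", "version": "2.3.31", "cvss": 10.0},
    {"id": "CVE-PLACEHOLDER-2", "component": "openssl", "version": "1.1.1w", "cvss": 9.1},
    {"id": "CVE-PLACEHOLDER-3", "component": "openssl", "version": "1.0.2u", "cvss": 7.5},
]
INTERNET_FACING = {"web-01", "web-02"}
OPENED = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed directive open time

def hours_after(hours):  # helper so callers need no datetime arithmetic
    return OPENED + timedelta(hours=hours)

@dataclass
class Directive:
    cve: str
    asset: str
    owner: str               # a directive is never created without a named owner
    opened: datetime
    sla_hours: int
    install_confirmed: bool = False  # evidence: change record or package query on the asset
    clean_scan: bool = False         # evidence: independent re-scan no longer reports the CVE

def sla_hours(cvss, internet_facing):
    """72h for CVSS 9.0+ on internet-facing assets (the page's SLA); other tiers assumed."""
    if cvss >= 9.0:
        return 72 if internet_facing else 7 * 24
    return 30 * 24 if cvss >= 7.0 else 90 * 24

def match_cves(sbom, feed, owner="app-sec-oncall"):
    """Open one directive per affected asset for every feed entry matching the inventory."""
    directives = []
    for entry in feed:
        for asset in sbom.get((entry["component"], entry["version"]), []):
            sla = sla_hours(entry["cvss"], asset in INTERNET_FACING)
            directives.append(Directive(entry["id"], asset, owner, OPENED, sla))
    return directives

def can_close(d):
    return d.install_confirmed and d.clean_scan  # no evidence, no closure

def sla_breached(d, now):
    # SLA window passed and the directive still lacks closure evidence
    return not can_close(d) and now > d.opened + timedelta(hours=d.sla_hours)
```

Confirming installation alone does not close the directive; a clean scan per affected asset is the second required piece of evidence.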
Compliance: Control to Failure Mapping
| Failure | Control That Prevents or Limits Impact |
| --- | --- |
| 20 years of identifiable records retained with no lawful basis review; breach scope amplified. | Retention policy mapped to lawful basis and data categories, enforced with automated deletion/anonymization and auditable evidence. |
| 78 days of exfiltration went undetected; no effective monitoring/alerting. | Monitoring tuned to the environment: baseline-driven thresholds for unusual outbound volume, anomalous access patterns, and zone-hopping. |
| No tested notification readiness; 40-day disclosure gap violated multiple notification laws. | Maintain a current obligations register with owners and timelines; rehearse at least annually through simulations. |
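As an added example, not from the original page: a baseline-driven detector of the kind the monitoring control above describes, run over constructed daily telemetry for a hypothetical application host (`acis-web` and the `db-NN` names are made up). It learns a per-host baseline from the first seven days and flags unusual outbound volume, contact with data stores outside the baseline (zone-hopping), and fan-out beyond the baseline's widest day.

```python
import statistics
from collections import defaultdict

# Constructed daily telemetry for one application host: outbound bytes and the set of
# data-store hosts it contacted that day. Days 1-7 are normal; day 10 is the anomaly.
BASE_BYTES = [1.0e9, 1.1e9, 0.9e9, 1.2e9, 1.0e9, 1.05e9, 0.95e9]
RECORDS = [
    {"day": i + 1, "src": "acis-web", "out_bytes": b,
     "db_hosts": {"db-01", "db-02"} | ({"db-03"} if i % 2 else set())}
    for i, b in enumerate(BASE_BYTES)
]
RECORDS += [
    {"day": 8, "src": "acis-web", "out_bytes": 1.15e9, "db_hosts": {"db-01", "db-02", "db-03"}},
    {"day": 9, "src": "acis-web", "out_bytes": 1.2e9, "db_hosts": {"db-01", "db-02"}},
    {"day": 10, "src": "acis-web", "out_bytes": 9.5e9,
     "db_hosts": {f"db-{n:02d}" for n in range(1, 9)}},
]

def volume_threshold(values, k=3.0):
    """Baseline-driven threshold: mean plus k population standard deviations."""
    return statistics.mean(values) + k * statistics.pstdev(values)

def detect(records, window=7, k=3.0):
    """Learn a per-source baseline from the first `window` days, then flag later days
    for unusual outbound volume, access to data stores never seen in the baseline,
    or fan-out beyond the baseline's widest day. Returns (day, src, reason) tuples."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["day"]):
        by_src[r["src"]].append(r)
    findings = []
    for src, rows in by_src.items():
        learn, rest = rows[:window], rows[window:]
        threshold = volume_threshold([r["out_bytes"] for r in learn], k)
        known = set().union(*(r["db_hosts"] for r in learn))
        max_fanout = max(len(r["db_hosts"]) for r in learn)
        for r in rest:
            if r["out_bytes"] > threshold:
                findings.append((r["day"], src, "outbound_volume"))
            if r["db_hosts"] - known:
                findings.append((r["day"], src, "new_data_store"))
            if len(r["db_hosts"]) > max_fanout:
                findings.append((r["day"], src, "fanout"))
    return findings
```

The baseline window and `k` are the tunables the checklist says to review periodically; a fixed byte threshold would have to be guessed, whereas this one follows the host's own history.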
Self-Assessment Checklist
Governance
- Critical patch SLAs by severity with named ownership and automated escalation
- Risk closes only on verified outcomes, not completed actions
- Board KRIs include vulnerability aging, SLA compliance, and assurance failures
- Material incident declaration policy documented and communicated
- Trading restrictions activate automatically upon incident declaration
- Disclosure authority and notification timelines documented pre-incident
Risk Management
- Control assurance program validates critical controls on a defined schedule
- SBOM maintained and monitored against live CVE feeds with automatic remediation trigger
- Application/data-store access scoped to functional need and reviewed periodically
- Architecture risk assessments enforced for segmentation and sensitive data paths
Compliance
- Retention policy mapped to lawful basis with deletion/anonymization enforcement and evidence
- Monitoring tuned to baseline; thresholds reviewed periodically
- Notification obligations register current across jurisdictions with named owners
- Notification process tested annually through simulations
Closing Point
This breach was procedurally permitted by missing ownership, missing verification, and missing escalation. Controls work only when they are operated as a management system.